Security Guide

Password Security Guide: Entropy, Patterns & Best Practices for 2026

Passwords remain the primary line of defence for most online accounts, yet most people choose, reuse and store them in ways that attackers exploit routinely. This guide covers the mathematics of password security, how attackers actually crack passwords, which patterns make passwords predictable, and a practical framework for securing every account you own.

How Password Cracking Actually Works

Understanding how attackers crack passwords is essential for understanding why password advice exists. Modern password cracking typically happens offline: after a data breach, attackers obtain a database of hashed passwords and then attempt to crack them on their own hardware at full speed, without any account lockout or rate limiting.

Dictionary Attacks

Attackers maintain wordlists containing hundreds of millions of known passwords from previous breaches, common words in all major languages, and password patterns observed in historical breach data. How fast those lists can be tried depends on the hash the breached service used: against a fast, unsalted hash such as MD5, SHA-1 or NTLM, tools like Hashcat test tens of billions of candidates per second on a single modern GPU; against a deliberately slow, salted hash such as bcrypt, scrypt or Argon2 the same hardware manages only thousands per second. The hash a service stores matters almost as much as the password itself.

Rule-Based Attacks

Attackers apply transformation rules to every word in their dictionary: capitalise the first letter, append digits 0–99, substitute 'a' with '@', substitute 'e' with '3', append the current year. These rules systematically generate millions of variants from a single dictionary entry, which is why passwords like "Password123!" or "p@ssw0rd" are cracked within seconds.
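The offline attack described above, as an added example that is not part of this guide or of Hashcat: a constructed "breach dump" of four unsalted SHA-256 digests, a toy six-word dictionary, and a rule chain (capitalise, leet-substitute, append digits or a year, optionally append "!") applied exactly as a cracking tool would. The wordlist, the rules and the dump are all invented for the demo; real rule sets such as hashcat's rules/best64.rule are far larger, but the mechanism is the same.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Set

# Leet substitutions as a cracking rule. Hashcat ships far larger rule sets
# (e.g. rules/best64.rule); this is the core of the idea.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed "breach dump": unsalted SHA-256 digests of four human-chosen
# passwords. A real dump contains only the digests; they are derived from the
# plaintexts here purely so the demo is self-contained.
LEAKED: Set[str] = {
    sha256_hex(p) for p in ("Password123!", "p@ssw0rd", "Welcome2024", "summer1999")
}

# Toy wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein", "monkey"]


def leet_variants(word: str) -> Iterator[str]:
    """Yield the word with every subset of the LEET substitutions applied."""
    present = [c for c in LEET if c in word]
    for r in range(len(present) + 1):
        for subset in itertools.combinations(present, r):
            out = word
            for c in subset:
                out = out.replace(c, LEET[c])
            yield out


def suffixes() -> Iterator[str]:
    """Nothing, digits 0-99, a few common digit runs, or a year 1940-2026,
    each optionally followed by '!'."""
    base = [""] + [str(n) for n in range(100)] + ["123", "1234", "12345"]
    base += [str(y) for y in range(1940, 2027)]
    for s in base:
        yield s
        yield s + "!"


def mutate(word: str) -> Iterator[str]:
    """Apply the rule chain: case -> leet -> suffix (order matters, as in hashcat)."""
    for cased in (word, word.capitalize()):
        for leeted in leet_variants(cased):
            for suffix in suffixes():
                yield leeted + suffix


def crack(hashes: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack: hash every candidate and look it up in the dump.
    No lockout, no rate limit: the only cost is one hash per guess.
    Returns {digest: plaintext} for every digest recovered."""
    remaining = set(hashes)
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mutate(word):
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


def candidates_per_word(word: str) -> int:
    """How many guesses the rule chain expands one dictionary entry into."""
    return sum(1 for _ in mutate(word))


if __name__ == "__main__":
    recovered = crack(LEAKED, WORDLIST)
    print(f"recovered {len(recovered)}/{len(LEAKED)} hashes")
    for digest, plain in recovered.items():
        print(f"  {digest[:16]}...  {plain}")
    print(f"'password' alone expands to {candidates_per_word('password')} candidates")
```

All four digests fall in well under a second because each guess costs one SHA-256. Swap the hash for bcrypt at a realistic cost factor and the same few thousand candidates per word become the attacker's entire budget for several seconds, which is the whole argument for slow password hashing.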

Credential Stuffing

When passwords from one service are compromised, attackers test them against other services using automated tools. If you reuse passwords, a breach of one low-security service can cascade into compromise of your email, banking, and social accounts. This is why using a unique password for every account is not optional; it is the baseline.

Brute Force

For short passwords or when simpler attacks fail, brute force tries every possible combination. A 6-character password using only lowercase letters has 26⁶ ≈ 309 million combinations, a keyspace a single modern GPU exhausts in a fraction of a second against a fast hash. Each extra character multiplies the keyspace by the pool size, so length is your most powerful defence against brute force.

Password Entropy: The Mathematics of Unpredictability

Entropy, measured in bits, quantifies how unpredictable a password is. H bits of entropy means 2^H equally likely possibilities, so an attacker guessing blindly needs 2^H guesses in the worst case and about 2^(H−1) on average. For a password of L symbols chosen uniformly at random from a pool of N characters, H = L × log₂(N).

Critically, entropy only reflects the theoretical maximum for randomly generated passwords. Human-chosen passwords have far less effective entropy because people follow predictable patterns — capital first letter, digits at the end, common substitutions — that reduce the actual search space to a tiny fraction of the theoretical maximum. Only passwords generated by a CSPRNG achieve their theoretical entropy in practice.
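The formula worked through, as an added example rather than code from the guide: entropy for the usual pool sizes and lengths, the expected guess count, and the resulting crack time at two assumed guess rates. The rates (10^11 guesses/s for a fast unsalted hash, 10^3 guesses/s for bcrypt at cost 12) are illustrative orders of magnitude chosen for this example, not benchmarks. The last part contrasts the nominal entropy of a human-chosen "Password123!" with its effective entropy once it sits inside a candidate set an attacker enumerates; the candidate counts there are likewise assumptions.

```python
import math

# Pool sizes for common generator settings (printable ASCII minus space = 94).
POOLS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 94}

# Assumed order-of-magnitude guess rates for one GPU rig, in guesses per second.
# Illustrative figures, not benchmarks: the real rate depends on the hardware
# and above all on the hash algorithm.
GUESS_RATES = {
    "fast unsalted hash (MD5/SHA-1/NTLM)": 1e11,
    "bcrypt, cost 12": 1e3,
}


def entropy_bits(length: int, pool_size: int) -> float:
    """H = L * log2(N): bits of entropy for L symbols drawn uniformly from N."""
    if length < 1 or pool_size < 2:
        raise ValueError("need length >= 1 and pool_size >= 2")
    return length * math.log2(pool_size)


def keyspace(bits: float) -> float:
    """Number of equally likely passwords for H bits of entropy (2^H)."""
    return 2.0 ** bits


def expected_guesses(bits: float) -> float:
    """Average guesses to hit a uniformly random password: half the keyspace."""
    return keyspace(bits) / 2


def seconds_to_crack(bits: float, rate: float) -> float:
    """Expected time for an attacker making `rate` guesses per second."""
    return expected_guesses(bits) / rate


def effective_bits(candidate_count: float) -> float:
    """Entropy a password actually has if it lies inside a candidate set the
    attacker enumerates: log2 of that set's size, whatever the pool suggests."""
    return math.log2(candidate_count)


def human_readable(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for name, n in POOLS.items():
        for length in (6, 8, 12, 16, 20):
            bits = entropy_bits(length, n)
            times = ", ".join(
                f"{label}: {human_readable(seconds_to_crack(bits, r))}"
                for label, r in GUESS_RATES.items()
            )
            print(f"{name:12} L={length:2}  H={bits:6.1f} bits  {times}")
    # Nominal vs effective entropy for a human-chosen "Password123!".
    nominal = entropy_bits(12, POOLS["printable"])
    # Assumed attacker model: a 10-million-word list x 2 case forms x ~2,200
    # suffixes, i.e. the kind of rule chain cracking tools apply.
    effective = effective_bits(10_000_000 * 2 * 2_200)
    print(f"Password123!: nominal {nominal:.1f} bits, effective about {effective:.1f} bits")
```

The two columns of the table make the page's two points at once: length dominates (each added printable character adds about 6.6 bits, doubling the work roughly 100 times over), and the hash function shifts every figure by eight orders of magnitude. The final line shows why "Password123!" scores 78 bits on paper and about 35 in practice.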

Breach Patterns: What Makes Passwords Predictable

Analysis of billions of breached passwords reveals consistent patterns that make the majority of human-chosen passwords predictable. Knowing these patterns helps you understand why your own password creation habits may be weaker than you think.

Keyboard Walk Patterns

Sequences of adjacent keys — qwerty, asdfgh, 1qaz2wsx, zxcvbn — appear in the top 0.1% of most-used passwords. Attackers specifically target keyboard walks because they are the natural fallback when users need something "random" without a tool.

Leet-Speak Substitutions

Replacing letters with similar-looking numbers or symbols (a→@, e→3, i→1, o→0, s→$) is one of the first rule sets applied in modern password cracking. "p@ssw0rd" and "s3cur1ty" fall as quickly as the plain words "password" and "security" they are built from, because every cracking tool applies these substitutions to its dictionary automatically.

Date and Year Patterns

Birth years, graduation years, and significant dates appear overwhelmingly in breach databases. Any password containing a four-digit year between 1940 and 2026 is trivially identifiable. Adding "2024" or "1990" to a password provides negligible additional security — attackers try all year suffixes automatically.
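A minimal version of the pattern checks from the three subsections above, as an added example that is not the guide's own checker: it strips the usual trailing digits-and-symbols run, undoes leet substitutions, looks the stem up in a constructed stand-in dictionary, and flags keyboard walks (rows and QWERTY columns) and four-digit years between 1940 and 2026. The dictionary and the leet map are assumptions for the demo, and the check covers a handful of categories rather than the fifteen the page's tool mentions.

```python
import re
from typing import List

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Column walks on a QWERTY board (1qaz2wsx is two of these back to back).
KEYBOARD_COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
# Reverse of the leet rule set a cracker applies (assumed map for the demo).
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s"}
# Constructed stand-in for a cracking dictionary of hundreds of millions of words.
DICTIONARY = {"password", "welcome", "security", "summer", "dragon",
              "letmein", "monkey", "admin", "football"}
YEAR = re.compile(r"(?<!\d)(19[4-9]\d|200\d|201\d|202[0-6])(?!\d)")
TRAILING = re.compile(r"[^A-Za-z]+$")


def has_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if any run of min_len adjacent keys (either direction) appears."""
    lower = pw.lower()
    for seq in KEYBOARD_ROWS + KEYBOARD_COLS:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - min_len + 1):
                if s[i:i + min_len] in lower:
                    return True
    return False


def stem_of(pw: str) -> str:
    """Drop the trailing digits/symbols run, the classic 'word + 123!' shape."""
    return TRAILING.sub("", pw)


def core_word(pw: str) -> str:
    """Stem with leet substitutions undone, lower-cased, ready for a lookup."""
    return "".join(UNLEET.get(c, c) for c in stem_of(pw).lower())


def analyse(pw: str) -> List[str]:
    """Return the list of predictable-pattern categories found in pw."""
    findings: List[str] = []
    stem = stem_of(pw)
    core = core_word(pw)
    if core in DICTIONARY:
        findings.append("dictionary word")
        if core != stem.lower():
            findings.append("leet substitutions")
    if has_keyboard_walk(pw):
        findings.append("keyboard walk")
    if YEAR.search(pw):
        findings.append("year 1940-2026")
    if stem and stem != pw:
        findings.append("digits/symbols only at the end")
    return findings


if __name__ == "__main__":
    for sample in ("p@ssw0rd", "Password123!", "1qaz2wsx", "Summer1999",
                   "s3cur1ty", "xK9#vQ2mLp"):
        found = analyse(sample)
        print(f"{sample:14} -> {', '.join(found) if found else 'no known pattern'}")
```

Everything runs on the string itself; nothing is sent anywhere, which is the property to insist on in any strength checker. Note that "no known pattern" only means none of these few heuristics fired, not that the password is strong: the generated string in the sample set scores clean because it is random, not because it passed a test.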

Use our Breach Pattern Checker to test any password against 15 pattern categories, entirely locally in your browser. No API call is made — your password never leaves your device.

Practical Password Security Framework

  1. Use a password manager. Bitwarden (free, open-source), 1Password, or KeePassXC. A password manager is the only realistic way to use unique, long passwords for every account.
  2. Generate, don't invent. Human creativity produces predictable passwords. Use our Password Generator for all new credentials. For anything you must memorise, use the Passphrase Generator.
  3. Use 16+ characters for stored passwords. With a password manager, length costs nothing. 20-character passwords for email and financial accounts; 16 characters minimum everywhere else.
  4. Enable two-factor authentication everywhere. 2FA means an attacker needs both your password and your second factor. Even a compromised password cannot be used alone.
  5. Use a strong master password. Your password manager's master password must be memorised — make it a 6–7 word passphrase generated randomly, not a personal phrase.
  6. Check for patterns in existing passwords. If you have older passwords you cannot immediately change, run them through the Breach Pattern Checker to prioritise which need replacing first.
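Steps 2, 3 and 5 in code, as an added example rather than the guide's own generator: random passwords drawn with Python's secrets module (a CSPRNG; random.choice is a Mersenne Twister and is not suitable), a diceware-style passphrase, and the entropy each actually carries. The 32-word list is constructed so the block runs offline; a real diceware list has 7776 words, and the entropy figures are computed for both so the difference is visible.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols, no space

# Constructed 32-word list so the example runs offline. A real diceware list has
# 7776 words, giving log2(7776) = 12.9 bits per word instead of 5 here.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orbit", "pumice",
    "quartz", "ripple", "saffron", "tundra", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cinder", "delta", "falcon", "gravel",
]
DICEWARE_SIZE = 7776


def entropy_bits(symbols: int, pool_size: int) -> float:
    """H = L * log2(N), valid only because every symbol is drawn uniformly."""
    return symbols * math.log2(pool_size)


def random_password(length: int = 20, pool: str = PRINTABLE) -> str:
    """Each character drawn independently from the pool with the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(pool) for _ in range(length))


def random_passphrase(n_words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style: n words drawn with replacement from a fixed list.
    The words may repeat; that is required for the entropy figure to hold."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for length in (16, 20):
        print(f"{random_password(length)}  ({entropy_bits(length, len(PRINTABLE)):.1f} bits)")
    for n in (6, 7):
        phrase = random_passphrase(n)
        print(f"{phrase}  ({entropy_bits(n, len(WORDS)):.1f} bits from this 32-word list, "
              f"{entropy_bits(n, DICEWARE_SIZE):.1f} bits from a 7776-word list)")
```

Two things to carry over into practice: the entropy figure is only honest if the draw is uniform and with replacement (no "reroll if the word looks odd"), and the master passphrase in step 5 gets its 78 to 90 bits from the 7776-word list, so generate it from a full list, not a short one.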

Frequently Asked Questions

What is password entropy and why does it matter?

Entropy measures unpredictability in bits (H = L × log₂N). Higher entropy means exponentially more guesses needed to crack the password. Only randomly generated passwords achieve their theoretical entropy; human-chosen passwords have far less due to predictable patterns.

How do attackers crack passwords?

Primarily via dictionary attacks, rule-based mutations (capitalise, append digits, apply leet-speak), credential stuffing from previous breaches, and brute force for short passwords. Against fast, unsalted hashes, modern GPU hardware can test billions of password guesses per second offline; slow hashes such as bcrypt or Argon2 cut that rate by many orders of magnitude.

Is it safe to check my password strength online?

Only if the tool runs locally in your browser with zero server contact. Our Password Strength Checker processes everything locally — no outbound requests are ever made with your password.

What are the most common password mistakes?

Password reuse, using personal information, keyboard patterns (qwerty, 123456), short passwords under 12 characters, and predictable substitutions like p@ssw0rd. All of these are specifically targeted by modern cracking tools.